prommetrix.py 18 KB

  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-"
  3. """
  4. Prommetrix - Tool to obtain relevant information from the instances of 'Node Exporter' executed by 'Prometheus' - 2024 - by psy (https://03c8.net)
  5. ----------
  6. Prometheus is an open-source, metrics-based event monitoring and alerting solution for cloud applications. It is used by nearly 800 cloud-native organizations including Uber, Slack, Robinhood, and more. By scraping real-time metrics from various endpoints, Prometheus allows easy observation of a system’s state in addition to observation of hardware and software metrics such as memory usage, network usage and software-specific defined metrics (ex. number of failed login attempts to a web application).
  7. - https://prometheus.io/docs/guides/node-exporter/
  8. Since the numeric metrics captured by Prometheus are not considered sensitive data, Prometheus has held an understandable policy of avoiding built-in support for security features such as authentication and encryption, in order to focus on developing the monitoring-related features. This changed less than a year ago (Jan 2021), on the release of version 2.24.0 where Transport Layer Security (TLS) and basic authentication support were introduced.
  9. Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven’t yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data.
  10. ----------
  11. Dork (using default port):
  12. - inurl:":9100/metrics"
  13. ----------
  14. This vulnerability can be described in a Pentest/Report like:
  15. - PRM-01-001 Client: Clients leak Metrics data through unprotected endpoint (LOW)
  16. "Metric data are to be collected for some services and these items need to implement a
  17. client-library that enables the core Prometheus service to scrape the data. The client-
  18. library opens a minimal HTTP server and exposes a route which is then registered with
  19. the core service for scraping. This endpoint is unauthenticated by default, which allows
  20. anybody who knows the URI to read the metric data. It is recommended to put some
  21. form of authentication in place. Only the core Prometheus service should be allowed to
  22. read the metric data."
  23. ----------
  24. Prommetrix - will take advantage of these metrics to obtain relevant information from the Prometheus instance, as well as, of the machine in which it is running.
  25. [!] The information obtained can be used to build other types of attacks over the different pieces of software/versions exposed (ex: CVE).
  26. ----------
  27. You should have received a copy of the GNU General Public License along
  28. with Prommetrix; if not, write to the Free Software Foundation, Inc., 51
  29. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  30. """
# Tool version, kept as a string because banner() concatenates it into text.
VERSION = str(0.2)
  32. import os, sys, requests, random, re
def banner():
    """Print the Prommetrix logo, version line, source links and usage text."""
    # Raw string: the logo contains backslashes that must not be read as escapes.
    logo_up_to_version = r'''====================================================================
___ _ ___ __
| _ \ _ __ ___ _ __ ___ _ __ ___ ___| |_ _ __(_) \/ /
| |_) | '__/ _ \| '_ ` _ \| '_ ` _ \ / _ \ __| '__| |\ /
| __/| | | (_) | | | | | | | | | | | __/ |_| | | |/ \
|_| |_| \___/|_| |_| |_|_| |_| |_|\___|\__|_| |_/_/\_\
(v'''
    credits_and_usage = ''') by psy (https://03c8.net) | 2024
Source Code:
- Official: https://code.03c8.net/epsylon/prommetrix
- Mirror: https://github.com/epsylon/prommetrix
Usage:
python3 prommetrix.py --target <IP> --port <PORT> (default: 9100)
===================================================================='''
    print(logo_up_to_version + VERSION + credits_and_usage)
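def _flag_value(flag, default=None):
    """Return the command-line word that follows *flag*, or *default*."""
    try:
        return sys.argv[sys.argv.index(flag) + 1]
    except (ValueError, IndexError):
        return default


def _clean(value):
    """Return *value* with non-printable characters replaced by '?'.

    Label values come from the remote endpoint; echoing them raw would let a
    hostile exporter send terminal control sequences to the operator's console.
    """
    return "".join(ch if ch.isprintable() else "?" for ch in value)


def _samples(text, metric):
    """Return the raw label text of every sample line of *metric* in *text*."""
    # Anchored at line start, so '# HELP' / '# TYPE' comment lines never match.
    pattern = r"^" + re.escape(metric) + r"\{(.*)\}\s"
    return re.findall(pattern, text, flags=re.MULTILINE)


def _labels(text, metric):
    """Return the labels of the first sample of *metric* as a dict ({} if absent)."""
    found = _samples(text, metric)
    if not found:
        return {}
    return dict(re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', found[0]))


def _each_label(text, metric, label):
    """Return the value of *label* from every sample of *metric* that carries it."""
    values = []
    for raw in _samples(text, metric):
        match = re.search(r'\b' + re.escape(label) + r'="((?:[^"\\]|\\.)*)"', raw)
        if match:
            values.append(match.group(1))
    return values


def _value(text, sample):
    """Return the value printed after the exact sample name *sample*, or None."""
    match = re.search(r"^" + re.escape(sample) + r"[ \t]+(\S+)", text, flags=re.MULTILINE)
    return match.group(1) if match else None


def _section(title, fields):
    """Print *title* and every (name, value) pair in *fields* that has a value."""
    shown = [(name, value) for name, value in fields if value]
    if not shown:
        return
    print("\n - " + title + ":")
    for name, value in shown:
        print(" - " + name + ": " + _clean(value))


def _listing(title, items):
    """Print *title* followed by one line per entry of *items*, if there are any."""
    if not items:
        return
    print("\n - " + title + ":")
    for item in items:
        print(" - " + _clean(item))


def init():
    """Fetch /metrics from the given target and print a summary of what it exposes.

    Reads ``--target <IP>`` and the optional ``--port <PORT>`` (default 9100)
    from ``sys.argv``. Without ``--target`` only the banner is printed. On a
    missing target value, a non-numeric port, a failed request or a non-200
    answer the banner is printed and the process exits with status 2.

    Each label is read from the metric it belongs to. The previous version
    split the whole response on fragments such as ``version="``, so the
    node_exporter "Version" line actually showed the first ``version`` label in
    the document, and any absent metric ended in an IndexError traceback.
    The response is parsed in memory; no ``tmp.txt`` is written to, or deleted
    from, the current directory.
    """
    if "--target" not in sys.argv:
        print("")
        banner()
        return

    # Take the word after each flag instead of assuming fixed argv positions.
    target = _flag_value("--target")
    port = _flag_value("--port", "9100")
    if not target or not port.isdigit():
        print("")
        banner()
        sys.exit(2)

    user_agent_list = [
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1',
        'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363',
    ]
    headers = {"User-Agent": random.choice(user_agent_list)}

    try:
        # A timeout keeps an unresponsive host from hanging the run forever.
        r = requests.get("http://" + target + ":" + port + "/metrics",
                         headers=headers, timeout=10)
    except requests.exceptions.RequestException:
        # Only request failures are handled here; Ctrl-C and programming
        # errors are no longer swallowed by a bare except.
        print("")
        banner()
        sys.exit(2)

    if r.status_code != 200:
        print("\n[ERROR] Not any 'Prometheus' have been detected <-> ABORTING!\n")
        banner()
        sys.exit(2)

    r_text = r.text

    print("\n[INFO] 'Prometheus' detected at: " + _clean(target) + " <-> EXPOSING!\n")
    print(" - Metrics path:")
    print(" - URL: " + _clean(r.url))

    go = _labels(r_text, "go_info")
    _section("'Go' (environment)", [("Version", go.get("version"))])

    build = _labels(r_text, "node_exporter_build_info")
    _section("'Node Export' (build)", [
        ("Branch", build.get("branch")),
        ("Revision", build.get("revision")),
        ("Version", build.get("version")),
    ])

    # One node_softnet_dropped_total sample is counted per CPU, as before.
    cpus = len(_samples(r_text, "node_softnet_dropped_total"))
    if cpus:
        print("\n - CPUs (total):")
        print(" - " + str(cpus))

    dmi = _labels(r_text, "node_dmi_info")
    # NOTE(review): SYSTEM shows bios_vendor, as the original did; system_vendor
    # was read but never printed - confirm which one is intended.
    _section("SYSTEM", [("Vendor", dmi.get("bios_vendor"))])
    _section("BIOS", [
        ("Date", dmi.get("bios_date")),
        ("Release", dmi.get("bios_release")),
        ("Version", dmi.get("bios_version")),
    ])

    os_info = _labels(r_text, "node_os_info")
    _section("OS", [
        ("Build ID", os_info.get("build_id")),
        ("ID", os_info.get("id")),
        ("ID Like", os_info.get("id_like")),
        ("Image ID", os_info.get("image_id")),
        ("Image version", os_info.get("image_version")),
        ("Name", os_info.get("pretty_name")),
        ("Variant", os_info.get("variant")),
        ("Variant ID", os_info.get("variant_id")),
        ("Version codename", os_info.get("version_codename")),
        ("Version ID", os_info.get("version_id")),
    ])

    uname = _labels(r_text, "node_uname_info")
    _section("UNAME", [
        ("Domainname", uname.get("domainname")),
        ("Machine", uname.get("machine")),
        ("Nodename", uname.get("nodename")),
        ("Release", uname.get("release")),
        ("Sysname", uname.get("sysname")),
        ("Version", uname.get("version")),
    ])

    time_zone = _labels(r_text, "node_time_zone_offset_seconds")
    _section("TIMEZONE", [("Location", time_zone.get("time_zone"))])

    _section("BOARD", [
        ("TAG", dmi.get("board_asset_tag")),
        ("Name", dmi.get("board_name")),
        ("Vendor", dmi.get("board_vendor")),
        ("Version", dmi.get("board_version")),
    ])
    _section("CHASSIS", [
        ("TAG", dmi.get("chassis_asset_tag")),
        ("Vendor", dmi.get("chassis_vendor")),
        ("Version", dmi.get("chassis_version")),
    ])
    _section("PRODUCT", [
        ("Family", dmi.get("product_family")),
        ("Name", dmi.get("product_name")),
        ("SKU", dmi.get("product_sku")),
        ("Version", dmi.get("product_version")),
    ])

    # The original compared the list returned by str.split() with 1, so the
    # status was always reported as OFF; read the sample value instead and
    # print the section only when the metric is present.
    selinux = _value(r_text, "node_selinux_enabled")
    if selinux is not None:
        print("\n - SELINUX:")
        if selinux == "1":
            print(" - Status: ON")
        else:
            print(" - Status: OFF")

    _listing("Info of /sys/block/<block_device>",
             _each_label(r_text, "node_disk_info", "device"))
    _listing("Info of node_filesystem_files",
             _samples(r_text, "node_filesystem_files_free"))
    _listing("NETWORK devices",
             _each_label(r_text, "node_network_iface_id", "device"))
    _listing("NETWORK entries by device",
             _samples(r_text, "node_network_info"))
    _listing("ARP entries by device",
             _each_label(r_text, "node_arp_entries", "device"))

    _section("PROMETHEUS HTTP_metrics", [
        ("HTTP-200 (OK) ", _value(r_text, 'promhttp_metric_handler_requests_total{code="200"}')),
        ("HTTP-500 (FAIL) ", _value(r_text, 'promhttp_metric_handler_requests_total{code="500"}')),
        ("HTTP-503 (FAIL) ", _value(r_text, 'promhttp_metric_handler_requests_total{code="503"}')),
        ("ENCODING (FAIL) ", _value(r_text, 'promhttp_metric_handler_errors_total{cause="encoding"}')),
        ("GHATERING (FAIL)", _value(r_text, 'promhttp_metric_handler_errors_total{cause="gathering"}')),
    ])
    print("")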
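# Run only when executed as a script, so that importing this module does not
# start a network request as a side effect.
if __name__ == "__main__":
    init()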